Q: What is the industry and RILA doing in response to recent cybersecurity attacks?

A: Retailers place an extremely high priority on data security and invest tremendous resources to prevent attacks; however, cyber-criminals are persistent and their attack methods are increasingly sophisticated. That is why RILA’s Board of Directors recently approved the RILA Cybersecurity and Data Privacy Initiative, which seeks to enhance existing cybersecurity and privacy efforts, inform the public dialogue, and build and maintain consumer trust in three major areas: Cybersecurity, Improved Payments Security, and Consumer Privacy.

Q: Why is protecting against cybersecurity threats a shared responsibility?

A: The safety and security of our customers’ payment card data is of the utmost importance for the retail industry. Risks associated with cybersecurity attacks increasingly threaten the role that merchants play in commerce. Protecting against cybersecurity threats targeting payment data is the shared responsibility of merchants, the financial institutions that issue cards, and the card networks. No single process or technology can prevent cyber-attacks and fraud; rather, a layered approach is necessary to reduce and mitigate fraud and risk.

Q: What steps do merchants take today to protect payment card information?

A: At a minimum, PIN functionality should be added to all cards today so that they have an extra layer of protection through two-factor authentication, which combines something the purchaser has (i.e. the physical card) with something the purchaser knows (i.e. the PIN). According to the Federal Reserve, simply using a PIN on debit card transactions makes the transaction 700% more secure than when a PIN is not used (i.e. a signature debit transaction).[1] In 2013, Visa and MasterCard jointly petitioned the Australian Government to completely eliminate signature authentication and move to PINs for all transactions, writing: “It is much more difficult for a fraud perpetrator to ascertain a PIN than to forge a signature. Accordingly, one of the most effective ways of combating fraud is to make the use of PIN for customer verification compulsory.”[2] RILA supports adding PIN functionality to all cards as a short-term step.

A: Magnetic stripe technology was developed in the 1970s, and while it is still safe for consumers to continue using their existing cards, criminals have found ways to compromise and counterfeit magnetic stripe cards with relative ease. For example, the equipment needed to create a counterfeit magnetic stripe card can be obtained for less than $100. Regulators and law enforcement have expressed support for moving toward more advanced card technology, such as the Chip & PIN cards used in Europe and elsewhere throughout the world today. The Federal Reserve Bank of Kansas City reported in 2013 that “Counterfeiting a magnetic-stripe card is far easier than counterfeiting a computer-chip card.”[3]

Q: What are Chip & PIN cards and where are they used?

A: Chip & PIN cards, also known as smart chip or EMV cards, have a microchip embedded in them that allows for dynamic payment transactions. The PIN provides an additional layer of security, while the chip holds the card information that was previously stored on the magnetic stripe of traditional cards. Chip cards use cryptography to protect sensitive data, changing the verification code with each transaction; this has a benefit similar to regularly changing a password for computer network access, because a code captured from one transaction cannot be reused for another. Chip & PIN cards can also send messages to card issuers that allow the issuer to authenticate the transaction with greater certainty than is possible with a magnetic stripe. Chip & PIN cards have been widely adopted throughout Europe, Canada, and Asia. In the United Kingdom, Chip & PIN cards cut card fraud by nearly 50% from 2008 to 2011. According to the Federal Reserve Bank of Kansas City, U.S. adoption of Chip & PIN cards could cut fraud losses by as much as 40 percent.[4] RILA supports the adoption of Chip & PIN cards in the U.S.; many merchants already have Chip & PIN-enabled terminals in place today or are on track to meet the October 2015 date, after which fraud liability will shift to merchants that do not have the terminals in place.
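The contrast the answer draws between static magnetic-stripe data and a per-transaction verification code is easier to see in a small model. The following is an added illustration, not text or code from RILA and not the real EMV cryptogram algorithm (real cards derive session keys from issuer master keys and sign a much richer set of transaction fields). It assumes a constructed card key and account number, a hypothetical `ChipCard`/`ChipIssuer` pair that uses an HMAC over a transaction counter, amount and terminal nonce as a stand-in for the EMV cryptogram, and a `MagstripeIssuer` that simply compares static track data. It shows why copied stripe data authorises as well as the original, while a captured chip cryptogram is rejected both when replayed and when its amount is altered.

```python
"""Toy model of static (magnetic stripe) vs. dynamic (chip) card authentication.

Added example. Names, key material and the MAC construction are constructed
for illustration and are NOT the EMV specification.
"""
import hashlib
import hmac
import secrets

# Constructed sample values: in practice the card key exists only inside the
# chip and the issuer's HSM, and is never exposed to the merchant.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PAN = "4000000000000002"  # constructed, test-style account number


def magstripe_track(pan: str, expiry: str, cvv: str) -> str:
    """Static track data: identical bytes are presented on every swipe."""
    return f"{pan}={expiry}{cvv}"


class MagstripeIssuer:
    """Authorises a swipe by comparing presented track data with the record on file.

    Because nothing in the data changes between swipes, an exact copy of the
    track is indistinguishable from the genuine card.
    """

    def __init__(self, track_on_file: str) -> None:
        self.track_on_file = track_on_file

    def authorise(self, presented_track: str) -> bool:
        return hmac.compare_digest(presented_track, self.track_on_file)


class ChipCard:
    """Chip side: holds the secret key and a monotonically increasing
    Application Transaction Counter (ATC), one increment per transaction."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Return an authorisation request whose MAC binds ATC, amount and nonce."""
        self.atc += 1
        msg = self.atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") + terminal_nonce
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"atc": self.atc, "amount": amount_cents, "nonce": terminal_nonce, "mac": mac}


class ChipIssuer:
    """Issuer side: recomputes the MAC with the shared key and rejects any
    request whose ATC does not exceed the last one seen (replay detection)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.last_atc = 0

    def authorise(self, req: dict) -> bool:
        msg = req["atc"].to_bytes(2, "big") + req["amount"].to_bytes(4, "big") + req["nonce"]
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["mac"]):
            return False  # forged or tampered (e.g. amount changed in transit)
        if req["atc"] <= self.last_atc:
            return False  # cryptogram already consumed: replay
        self.last_atc = req["atc"]
        return True


def demo() -> dict:
    """Run both models and report which authorisation attempts succeed."""
    # Magnetic stripe: a copy of the static track authorises exactly like the original.
    track = magstripe_track(PAN, "2512", "123")
    mag_issuer = MagstripeIssuer(track)
    copied_track = str(track)

    # Chip: capture one genuine cryptogram, then try to reuse it and to alter it.
    card = ChipCard(CARD_KEY)
    issuer = ChipIssuer(CARD_KEY)
    genuine = card.generate_cryptogram(2599, secrets.token_bytes(4))  # terminal nonce
    first_use = issuer.authorise(genuine)
    replayed = issuer.authorise(genuine)             # same cryptogram presented again
    altered = issuer.authorise(dict(genuine, amount=99))  # amount changed, MAC stale
    next_genuine = issuer.authorise(card.generate_cryptogram(1000, secrets.token_bytes(4)))

    return {
        "magstripe_original": mag_issuer.authorise(track),
        "magstripe_copy": mag_issuer.authorise(copied_track),
        "chip_genuine": first_use,
        "chip_replay": replayed,
        "chip_altered_amount": altered,
        "chip_next_genuine": next_genuine,
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:22s} {'authorised' if ok else 'declined'}")
```

The useful observation for defenders is in the last four results: the issuer never needs to know how the data was obtained, it only needs the counter and MAC to disagree with what a genuine card would produce next. That is the property the FAQ refers to when it says the verification code changes with each transaction.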

Q: When will we see Chip & PIN cards in the United States?

A: Unfortunately, we may never see Chip & PIN cards in the United States. Instead, Visa, MasterCard, American Express and Discover are proposing to bring a variation of this technology, known as Chip & Signature or Chip & Choice, to the U.S. without the crucial PIN functionality, which the Federal Reserve has reported makes debit card transactions 700% more secure. Merchants have very serious concerns that U.S. consumers and merchants are being shortchanged by being denied the more secure Chip & PIN technology. According to the Federal Reserve Bank of Kansas City, “Many countries that use EMV payment cards do not allow cardholder authentication with signatures. Issuers in the United States, however, appear likely to continue to allow signature authorization on EMV debit and credit card transaction. As a result, fraud on lost or stolen cards may not decline in the United States.” Further, “If weaker authorization protocols continue, such as signature for card payments rather than PINs, the degree of fraud reduction that can be achieved will be limited.”[5]

Q: But don’t Visa and MasterCard support Chip & PIN abroad?

A: Yes. Chip & PIN is the standard throughout the rest of the world. For example, Visa Canada’s “Benefits of Chip & PIN” website says “Chip cards and Chip terminals help make a secure transaction system even more secure by validating the cardholder’s Chip & PIN. This enhances the security of your card whenever you use it in a face-to-face transaction.” Similarly, MasterCard Canada’s “Chip and PIN, A More Secure Way To Pay: Chip Cards” website says that “Instead of signing to verify a payment, you enter a private Personal Identification Number (PIN). The data on the chip is extremely difficult to copy or change, protecting against counterfeiting fraud, and the PIN provides added protection if your card is lost or stolen.”[6]

Q: Who pays for fraud?

A: Both merchants and card issuers. A 2013 Federal Reserve study of debit card fraud losses found that losses are divided between merchants and card issuers depending on the transaction type: for more secure transactions requiring a PIN, the card issuer absorbed the greater share of the fraud; for less secure transactions (i.e. signature debit), merchants absorb an increasing share.[7] For signature debit transactions, merchants absorb 45 percent of the losses and card issuers absorb 54 percent. For PIN debit transactions, merchants absorb 2 percent of the losses and card issuers absorb 96 percent. And for card-not-present transactions, which include online, telephone and catalogue sales, merchants absorb 68 percent of the losses and card issuers absorb 29 percent.

Q: How are card issuers compensated for costs associated with reissuing cards following a cyber-breach?

A: Contrary to the claim that card issuers receive “pennies on the dollar” for card reissuance, card issuers are by contract reimbursed for fraud losses and card reissuance costs according to a formula agreed between the card issuer and the card networks, even if no fraudulent activity has actually occurred on the card. For example, according to the MasterCard Account Data Compromise User Guide, under a formula that card issuers and MasterCard have agreed to, a small financial institution is reimbursed by the merchant $2.69 per magnetic stripe card. If this same card issuer had issued a Chip & PIN card – which experts agree would render card data stolen in cyber-attacks useless – the small financial institution would be reimbursed $3.66 per card.[8] Visa maintains a similar reimbursement schedule.

A: That would be a good question to ask Visa and MasterCard directly, but unfortunately they haven’t been able to answer it. MasterCard’s Account Data Compromise User Guide, which outlines terms that card issuers and MasterCard have agreed to by contract, says that card issuers are compensated on a per-card basis for 60 percent of the cards they have to reissue; the other 40 percent of cards are not eligible for reimbursement because: 1) they would have had to be replaced anyway under regular card expiration and replacement cycles, and 2) a certain percentage of fraud (occurring at either the banks’ or the merchants’ level) would have occurred on any given card due to normal fraud rates.[9]

[2] Visa Worldwide Pte Limited and Visa AP (Australia) Pty Ltd and MasterCard Asia/Pacific Pte Ltd, Submission to the Australian Competition and Consumer Commission in support of Application for Authorisation, July 4, 2013.